The latest such unfortunate victim of incompetent and belligerent staff is Ahmed Al-Khabaz, a student at Dawson College, an institution in Montreal, Quebec, Canada.

As part of a school project, Mr. Al-Khabaz was recruited to create a mobile app that would allow students to access their student accounts on a system called "Omnivox" used by most of Quebec's CEGEPs (General and Vocational Colleges). But he and a colleague discovered a serious security flaw that would put nearly 250,000 students' personal information at risk.

Dawson College is located in Montreal, Quebec. [Image Source: Dawson College]

Looking to do the right thing, he scheduled a meeting with Dawson College's Director of Information Services and Technology, François Paradis. Mr. Al-Khabaz recalls, "I saw a flaw which left the personal information of thousands of students, including myself, vulnerable. I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong."

Ahmed Al-Khabaz, a star computer science student, was initially praised for finding a serious security flaw, but was subsequently condemned for checking whether it had been fixed.
[Image Source: National Post]

Mr. Paradis commended him for his work, as he did his colleague, Ovidiu Mija. Mr. Paradis promised that the university and the third-party software partner that produced the software, Skytech, would immediately fix the gaping hole.

But that praise soon turned to condemnation. Days later, Mr. Al-Khabaz set out to test whether the flaw had indeed been fixed by probing the system with a web vulnerability scanner, Acunetix.

At that point he received an angry call from Skytech. He recalls in an interview with Canada's National Post, "It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement."

The non-disclosure agreement (NDA) both forbade Mr. Al-Khabaz from accessing the company's servers in future and forbade him from revealing the security flaw he had found to the public.

Mr. Taza disputes Mr. Al-Khabaz's account, commenting, "All software companies, even Google or Microsoft, have bugs in their software. These two students discovered a very clever security flaw, which could be exploited. We acted immediately to fix the problem, and were able to do so before anyone could use it to access private information."

He expresses frustration at Mr. Al-Khabaz's decision to probe Skytech's network, but even he characterizes the action as a mistake rather than an attack, commenting, "This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake."

II. University Expels One of Its Brightest

But here comes the truly disturbing twist -- while Skytech at worst threatened Mr. Al-Khabaz into signing an NDA, his college did far worse. It called his actions in probing Skytech a "serious professional conduct issue" and proceeded to expel him.

He recalls a meeting, commenting, "I was called into a meeting with the co–ordinator of my program, Ken Fogel, and the dean, Dianne Gauvin. They asked a lot of questions, mostly about who knew about the problems and who I had told. I got the sense that their primary concern was covering up the problem."

The expulsion was put to a vote before a panel of 15 computer science professors: 14 voted to expel the student for checking whether the flaw had been fixed, while one voted against. Mr. Al-Khabaz was expelled, and university managers twice denied his appeals.

Only one computer science professor out of 15 voted not to suspend Mr. Al-Khabaz for discreet disclosure and vulnerability testing. [Image Source: National Post]

A distraught Mr. Al-Khabaz comments, "I was acing all of my classes, but now I have zeros across the board. I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct. I really want this degree, and now I won’t be able to get it. My academic career is completely ruined. In the wrong hands, this breach could have caused a disaster. Students could have been stalked, had their identities stolen, their lockers opened and who knows what else. I found a serious problem, and tried to help fix it. For that I was expelled."

The university has generally refused to discuss the case, though it did release a brief statement to the CBC saying it stands behind its decision and calling Mr. Al-Khabaz's actions inappropriate. It says its typical procedure is to send a warning about conduct-related issues. It did not specifically state whether Mr. Al-Khabaz had received such a warning, or whether it was aware of his sanctioned work on the Omnivox app, which led to the discreet disclosure and testing of the flaw in question.

Morgan Crockett, director of internal affairs and advocacy for the Dawson Student Union, calls the action atrocious. He remarks, "Dawson has betrayed a brilliant student to protect Skytech management. It’s a travesty that Ahmad’s academic future has been compromised just so that Dawson and Skytech could save face. If they had any sense of decency, they would reinstate Ahmad into [the] computer science [program], refund the financial aid debt he has incurred as a result of his expulsion and offer him a full public apology."

A copy of the expulsion letter is seen below:

The Dawson Student Union is actively appealing the decision.

No one is advocating that hackers take illegal or destructive routes in "encouraging" businesses or academic institutions to fix their flaws. But when responsible individuals are punished and anonymous destructive disclosures often result in no action against the perpetrators, one must wonder whether the wrong message is being sent.

If Mr. Al-Khabaz's account is accurate one must wonder why any student in their right mind would want to attend such an abusive institution.

Editor's Note: Dawson College's webpage is currently inaccessible, although it is unclear whether this is related to the story.

When he found the vulnerability and reported it he was thanked and set on his way! Two days later, too short of a time to realistically expect a fix, he ran a security scanner against their system to 'verify that the issue was fixed'. That is when things went south and for good reason.

Think. He was no longer messing around with the API, he was now poking at a known vulnerability. He was scanning the entire system for weaknesses. There are practical reasons that those scanners aren't run routinely, namely that they can cause massive and unpredictable problems with the system even if it's totally secure.

Please. If he can do this with a utility that anyone can get and screw up an entire system, the software is crap. They simply didn't want anyone to know they were databasing everyone's info with crappy software.

Yes, however it wasn't his job to run a test against the system and, as stated in the grounds for termination letter, doing so was against the IT Policy. Plus his statements seem fishy since the termination letter states his account was suspended after the first attempt. I suspect that after he used the utility the first time to scan the system his account got suspended and he confessed that it was for a project to get his account reinstated. However, after the second time they felt as though he was trying to do something malicious.

Sorry, but I don't believe he could be as stupid as that. His access to the system he was scanning was obviously through an authenticated VPN tunnel or similar mechanism that personally identified him against his network IP address. I assume he would have known this from the beginning. And if he didn't then he would have figured it out after the first time when they shut down his personal access in response to his scan.

So basically your assertion is that after the first attempt was detected, he then proceeded to maliciously do the exact same thing that was caught the first time, from the same authenticated connection that personally identifies him, and without taking any extra measures to protect himself. That would be beyond idiotic, because he'd know that he was going to be detected/caught.

If he's really that stupid, then yes, he deserves to be expelled. But I don't believe that even the worst CS student can be that stupid, and from the article it sounds like he was one of the better ones.

Note that usage of college in Canada would equate to community college in the States. Most decent coders I've met, they usually were able to skip higher education straight into the workforce or were able to get into university (you can get in with C-'s). Colleges tend to be more for trade skill type jobs or university prep...so yeah, I would say him being that stupid is a possibility.

The thing that also stands out is that 13 professors felt the need to expel him for doing something supposedly positive. It's possible that the student was abusing his knowledge prior to disclosing the info and hence the expulsion.

Letter setting out the facts does not indicate any level of abuse. He was expelled for checking for fixes. If they wanted a proportional punishment, they could have removed his network privileges - instead they expelled him for what was obviously an innocent check.

If you felt you were doing someone a favor by doing a security check on their network (that you did in the past), would you have any reason to cover your tracks? Obviously there is a discrepancy between the facts provided by the College about the first instance vs what the student said, since the student didn't mention his account being suspended or putting anything in writing. He didn't feel as though getting access to student records via SQL injection was as serious an offense as the school did.

quote: they expelled him for what was obviously an innocent check.

Can you confirm that this was an innocent check by the information provided by the College? Can you confirm that the student didn't get access to data that he wasn't supposed to see based on the information in the article? SQL injection is not something someone innocently does.
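The comments above turn on what a SQL injection flaw in a student-records lookup actually looks like and how a vendor verifies that it has been fixed. The following is an added illustration, not code from Omnivox, Skytech or Dawson College, and the `students` table, the `lookup_vulnerable` and `lookup_hardened` functions and the sample rows are all constructed for this example. It places the flawed pattern (splicing user input into SQL text) beside the hardened one (input validation plus a bound parameter), and shows fix verification done where it belongs: as a regression test in the vendor's own code, not a scanner pointed at a production system.

```python
import sqlite3

# Constructed sample data (not the real Omnivox schema): a tiny student-records table.
SAMPLE_STUDENTS = [
    (1001, "Alice Example", "alice@example.invalid"),
    (1002, "Bob Example", "bob@example.invalid"),
    (1003, "Carol Example", "carol@example.invalid"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", SAMPLE_STUDENTS)
    return conn


def lookup_vulnerable(conn, student_id):
    """Flawed form (hypothetical): the caller-supplied value is spliced into the
    SQL text, so a value containing SQL syntax changes what the query means."""
    sql = "SELECT id, name, email FROM students WHERE id = '%s'" % student_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, student_id):
    """Hardened form (hypothetical): check that the input has the shape of a
    student id, then bind it as a parameter so the database never parses it
    as SQL. Two independent layers; the parameter binding alone would suffice."""
    if not isinstance(student_id, str) or not student_id.isdigit():
        return []  # reject anything that is not a plain numeric id
    sql = "SELECT id, name, email FROM students WHERE id = ?"
    return conn.execute(sql, (int(student_id),)).fetchall()


def regression_check(conn):
    """Fix verification as a code-level regression test. A benign id must still
    return its one row; an input carrying SQL syntax must return nothing from
    the hardened lookup, whereas the flawed lookup leaks every record."""
    sql_syntax_input = "0' OR '1'='1"
    return {
        "normal_vulnerable": len(lookup_vulnerable(conn, "1002")),
        "normal_hardened": len(lookup_hardened(conn, "1002")),
        "syntax_vulnerable": len(lookup_vulnerable(conn, sql_syntax_input)),
        "syntax_hardened": len(lookup_hardened(conn, sql_syntax_input)),
    }


if __name__ == "__main__":
    # Expected: normal lookups return 1 row each; the SQL-syntax input returns
    # all 3 rows from the flawed lookup and 0 rows from the hardened one.
    print(regression_check(make_db()))
```

The design point is that the hardened lookup never concatenates untrusted text into a statement; the database driver receives the query shape and the value separately, so the value cannot alter the shape. Keeping a test like `regression_check` in the application's suite is what lets a vendor answer "has it been fixed?" on every build, which is the verification the commenters are debating.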

Read the article then read the letter. 1) He wrote an app as an assigned class project. This app triggered a security hole & he notified the IT department. This was attack #1

2) "Two days later" (After talking to IT that is) he obtained a copy of Acunetix, a free trial of security probing software, ran the tests and found the problem uncorrected. This was attack #2 that resulted in the NDA signed under duress & the subsequent cancelling of all his school computer account access.

There is definitely some CYA on the school's part when they cite an assigned project and immediate notification (that he was praised for even) as a rules violation. Not sure what the rest of the story is as the school is citing privacy as the reason for not explaining their actions.

The school reveals in this letter that it is an SQL code insertion method that was used. That is more than enough info for the script kiddies looking for a target to test their toys on.

The article is based on one person's account of the facts. The letter is just the facts. You don't have the College's account of the facts. It is simple for someone to distort the facts during their account and we don't have all the information. The truth of what happened could be significantly different.

It would be more likely that he downloaded Acunetix to determine how to make the connection to his app and the College system which is how he found the security hole. Based on the facts, the day after his account was suspended the first time, he admitted in writing to having broken the IT Policy. The second time should never have happened since whatever was submitted in writing after the first suspension should have outlined that the next breach would be grounds for expulsion.

BTW. has anyone confirmed that the SQL injection issue has not been fixed or is this ex-student's account enough?

You are correct. It wasn't his job, but his personal data was vulnerable due to the security hole and he took a personal interest in verifying his data was now secured.

He embarrassed the Company and the College. Imagine how the College will have to deal with students finding out their personal information was/is not secure.

This kind of treatment/approach by the college is disgusting and short-sighted.

This student is obviously skilled and could have easily taken a different route. It takes a person of character to do what he did, and the school and company displayed poor character, but then they were just covering their asses. IMO.

Best wishes to all the other students at this college, and I imagine you've just learned a valuable lesson when dealing with software companies and college campuses. They can't be trusted. Very sad an educational institution can't learn from its mistake.

From what I've read they were running a MySQL server that hadn't been updated since 2009. Yeah, 3 years of missing security updates is sure to leave some pretty obvious vulnerability...and this could have been fixed in a few hours.

They are designed to break the system they are scanning, they are hoping to break it in such a way that gets them access but 9 times out of 10 they're just going to plain crash the system or insert bogus data or delete data or lock out legitimate users. When admins run them, they do a lot of preparatory work to make sure they can get the system back to a good state before starting and to make sure that they don't disrupt real users.

I'm not saying he was necessarily doing anything nefarious, I'm saying he was wildly irresponsible. It doesn't take a genius to realize scanning for vulnerabilities is going to be perceived as an attack on the system because that is exactly what it is.

They are designed to TEST the system for vulnerabilities, not BREAK the system, fool... This company does charge quite a bit for its software's full blown edition. I'd think that their lawyers have better things to do than defending the company against lawsuits arising from damage done.

I have to agree that going in and "checking" to see if they fixed the issue 2 days later is a bit much. Obviously, this sounds like a big potential security problem, but to think an issue could be developed, tested and deployed in two days is rather naive at best. Isn't the whole point of responsible disclosure to allow the affected party time to properly test and deploy the fix?

A security hole large enough for a college student (who is not trying to hack the system) to find is a rather large hole to leave exposed. If it was my personal data I would want a temporary solution implemented immediately (within a few hours). It does not take that long to shut down a server, but it is a lot of hassle if your personal information is dumped to the web or falls into malicious hands.

quote: When he found the vulnerability and reported it he was thanked and set on his way! Two days later, too short of a time to realistically expect a fix, he ran a security scanner against their system to 'verify that the issue was fixed'. That is when things went south and for good reason. Think. He was no longer messing around with the API, he was now poking at a known vulnerability. He was scanning the entire system for weaknesses. There are practical reasons that those scanners aren't run routinely, namely that they can cause massive and unpredictable problems with the system even if it's totally secure.

I completely agree, but the kids here do not understand that what Al-Khabaz has done is wrong. Dawson College has every right to expel Al-Khabaz because he went against the student contract. The reason for this is the first hack was more white hat, which put the shame on Dawson. The second hack is black hat, which put the shame on Al-Khabaz. Al-Khabaz should have been patient, waited a month and then asked the system administrator whether the vulnerability had been fixed. If it is not, Al-Khabaz should then tell the system administrator he is scared that the vulnerability is not fixed and take the issue to the main head of Dawson College.

Kids do not understand that businesses and colleges take bureaucratic steps to fix a security issue on their servers that are in production or live.
